Opsgenie alert "Kube_Client_Certificate_Expiration"

6/2/2020

We are receiving below alert in opsgenie, So please suggest how to do basic checks and fixing the issue

Labels
alertname = KubeClientCertificateExpiration
cluster = cluster.example.com
job = apiserver
prometheus = openshift-monitoring/k8s
severity = warning
Annotations
message = Kubernetes API certificate is expiring in less than 7 days.

Thanks in advance

Ravi kumar G

-- Ravikumar G
kubernetes

1 Answer

6/2/2020

This could be because Kubernetes API Server Client certificate is expiring. This is the certificate that Kubernetes API Server uses to talk to kubelet.

You could verify this by capturing network traffic on the kubelet https port using tcpdump and analyzing the tcp handshakes using wireshark (filter "tls.handshake.client_cert_vrfy.sig") and inspecting the client certificates.

Also check if there is any pending csr by kubectl get csr --sort-by='{.metadata.creationTimestamp}' and approve them using kubectl certificate approve csrname

-- Arghya Sadhu
Source: StackOverflow